Security has become a major differentiator in the design of many types of consumer electronics, such as mobile and smart phones, media players, residential gateways and networked sensors. Similarly, embedded systems of various kinds control security critical functions in mobile and fixed networks, in vehicles and in control systems, such as power plant control systems.
Security concerns for embedded systems range from reliability, requiring for example a high uptime, robust execution and reliable network access, to a high level of protection from software attacks, including viruses and Trojans.
The embedded software domain is currently experiencing a boost both in the number of services offered and in the use of open software. However, open software platforms and operating systems also give more freedom and power to attackers, especially since source code, documentation and common hacking tools are becoming increasingly accessible. Today there is therefore also a boost in exposure to mobile viruses and network attacks, particularly those targeting mobile devices and embedded devices in sensitive infrastructure, and an even greater threat to all types of embedded systems can be expected in the future.
Moreover, large open software systems subject to frequent updates are increasingly expected to run on various types of embedded devices. To better protect such systems, there is a strong need for partitioning that isolates security critical functions or services from non-security critical ones, and for reliable monitoring of the security properties of the system.
Virtualization is a technology in which a hypervisor, alternatively referred to as a Virtual Machine Monitor (VMM), enables an embedded device not only to consolidate hardware and scale capacity to meet varying loads, but also to host one or more Operating Systems (OSs) together with their accompanying software stacks.
In addition, a hypervisor that runs at the most privileged execution level of a device, together with the basic hardware protection mechanisms normally available on most platforms, provides a powerful approach both to securely isolating the security critical data associated with security critical functions and to monitoring those functions. Since a hypervisor typically has full control over memory usage and over access to the hardware resources of the platform on which it resides, it can isolate security critical functions, running in what are typically referred to as virtual machines, from non-security critical functions. The hypervisor can ensure that non-security critical functions do not gain access to sensitive memory regions or hardware peripherals, and it typically also has full control over all information that is allowed to flow between the secure and non-secure execution domains of the platform.
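The following is an added illustration of the two mechanisms just described; it is not part of the original text and is not code from any product cited on this page. It models in C a per-domain physical memory map, the coarse equivalent of a second-stage page table, which denies the non-secure guest any access to secure RAM and to a peripheral owned by the secure domain, and a hypervisor-mediated mailbox through which data leaves the secure domain only as a response to a pending request. The domain names, addresses, region layout, message format and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two execution domains, as in the text: a security critical virtual
 * machine and a non-security-critical one. Names, addresses and the
 * region layout below are hypothetical, constructed for this example. */
typedef enum { DOM_SECURE = 0, DOM_NORMAL = 1, DOM_COUNT = 2 } domain_t;

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* One entry of the hypervisor's per-domain physical memory map. Any
 * address not covered by an entry is inaccessible to every guest. */
typedef struct {
    uint32_t base;
    uint32_t size;
    uint8_t perm[DOM_COUNT];   /* permitted access bits, per domain */
    const char *name;
} region_t;

static const region_t platform_map[] = {
    /* secure RAM (keys, state of security critical functions): secure only */
    { 0x10000000u, 0x00100000u, { PERM_R | PERM_W | PERM_X, 0 }, "secure RAM" },
    /* RAM of the rich OS: normal world only */
    { 0x20000000u, 0x01000000u, { 0, PERM_R | PERM_W | PERM_X }, "normal RAM" },
    /* crypto accelerator registers: a peripheral owned by the secure domain */
    { 0x40010000u, 0x00001000u, { PERM_R | PERM_W, 0 }, "crypto peripheral" },
    /* mailbox: the only memory both domains may touch, and even that only
     * through the hypervisor-mediated functions further below */
    { 0x40020000u, 0x00001000u, { PERM_R | PERM_W, PERM_R | PERM_W }, "mailbox" },
};
#define NREGIONS (sizeof platform_map / sizeof platform_map[0])

/* The check the hypervisor (through the protection hardware it programs)
 * applies to every guest access: true if domain d may perform all of the
 * access bits in `access` on the byte range [addr, addr + len). */
bool hv_check_access(domain_t d, uint32_t addr, uint32_t len, uint8_t access)
{
    if (d >= DOM_COUNT || len == 0 || access == 0) return false;
    uint32_t last = addr + len - 1;
    if (last < addr) return false;                 /* wrap-around: reject */
    for (size_t i = 0; i < NREGIONS; i++) {
        const region_t *r = &platform_map[i];
        uint32_t rlast = r->base + r->size - 1;
        if (addr >= r->base && last <= rlast)       /* entirely inside region */
            return (r->perm[d] & access) == access;
    }
    return false;                                   /* unmapped for everyone */
}

/* Controlled information flow: a single-slot mailbox whose contents move
 * only by hypervisor call, never through a pointer shared across domains. */
#define MBOX_PAYLOAD 32
enum { MSG_REQUEST = 1, MSG_RESPONSE = 2 };

typedef struct {
    uint8_t type;                 /* MSG_REQUEST or MSG_RESPONSE */
    uint8_t len;                  /* valid bytes in payload */
    uint8_t payload[MBOX_PAYLOAD];
} mbox_msg_t;

static struct {
    mbox_msg_t slot;
    bool request_pending;         /* a normal-world request awaits an answer */
} hv_mbox;

/* Policy enforced on every send: the normal domain may only submit one
 * request at a time; the secure domain may only answer a pending request,
 * so nothing leaves it unsolicited; the payload is length-checked and
 * copied byte-exactly, so stale bytes never cross the boundary.
 * Returns 0 if delivered, -1 if the policy rejected the message. */
int hv_mbox_send(domain_t from, const mbox_msg_t *m)
{
    if (m == NULL || m->len > MBOX_PAYLOAD) return -1;
    if (from == DOM_NORMAL) {
        if (m->type != MSG_REQUEST || hv_mbox.request_pending) return -1;
        hv_mbox.request_pending = true;
    } else if (from == DOM_SECURE) {
        if (m->type != MSG_RESPONSE || !hv_mbox.request_pending) return -1;
        hv_mbox.request_pending = false;
    } else {
        return -1;
    }
    memset(&hv_mbox.slot, 0, sizeof hv_mbox.slot);
    hv_mbox.slot.type = m->type;
    hv_mbox.slot.len = m->len;
    memcpy(hv_mbox.slot.payload, m->payload, m->len);
    return 0;
}

bool hv_mbox_request_pending(void) { return hv_mbox.request_pending; }

int main(void)
{
    printf("normal world reads secure RAM:      %s\n",
           hv_check_access(DOM_NORMAL, 0x10000000u, 16, PERM_R) ? "allowed" : "denied");
    printf("secure world writes crypto regs:    %s\n",
           hv_check_access(DOM_SECURE, 0x40010000u, 4, PERM_W) ? "allowed" : "denied");
    mbox_msg_t req = { MSG_REQUEST, 4, { 1, 2, 3, 4 } };
    mbox_msg_t resp = { MSG_RESPONSE, 2, { 0xAA, 0x55 } };
    printf("unsolicited secure->normal message: %s\n",
           hv_mbox_send(DOM_SECURE, &resp) == 0 ? "delivered" : "rejected");
    printf("normal->secure request:             %s\n",
           hv_mbox_send(DOM_NORMAL, &req) == 0 ? "delivered" : "rejected");
    printf("secure->normal response:            %s\n",
           hv_mbox_send(DOM_SECURE, &resp) == 0 ? "delivered" : "rejected");
    return 0;
}
```

On real hardware the region table would be expressed as second-stage translation entries or protection-unit registers and the mailbox calls would be hypercalls; the policy decisions are the same, and the point of the model is that every access and every transfer is decided by code that the guests cannot modify.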
Virtualization by means of hypervisors is an old technology which, after having been almost abandoned during the 1980s and 1990s, was rediscovered when VMware introduced virtualization by binary translation. More information on virtualization and virtual platforms can be found at http://www.vmware.com (available 2011, Mar. 17).
In the context described below, virtualization refers to an approach in which a complete software system, including an OS, runs on top of a hypervisor that gives the guest system the illusion of running directly on the real hardware. This form of virtualization is often referred to as system virtualization.
Virtualization can be achieved with a hypervisor using different approaches: binary translation; hardware-assisted virtualization, as provided on the x86 architecture, which enables multiple OSs to share x86 processor resources simultaneously in a safe and efficient manner; or paravirtualization, where the guest code itself is modified to use a different interface that is safer or easier to virtualize and/or that improves performance. Advanced hardware support for virtualization is currently still lacking in most embedded architectures, which makes paravirtualization and binary translation the most viable approaches there. Well known examples of virtualization solutions for embedded systems include Red Bend Software's hypervisor (www.redbend.com, available 2011, Mar. 17) and the OKL4 secure kernel (www.ok-labs.com/products/okl4-microvisor, available 2011, Mar. 17). System virtualization is also described in J-Y Hwang et al., “Xen on ARM: System Virtualization using Xen Hypervisor for ARM-based Secure Mobile Phones”, 5th IEEE Consumer Communications and Networking Conference.
In none of the examples given above has a hypervisor been introduced purely for security purposes; rather, it serves more general purposes, such as running legacy software on new hardware and/or running several OSs in parallel on the same hardware.
A related but different approach, compared to pure virtualization technologies, is the ARM TrustZone technology (http://www.arm.com/products/processors/technologies/trustzone.php), a solution available for ARM11 and ARM Cortex embedded processors. TrustZone supports the creation of two securely isolated virtual cores, or “worlds”, on a single physical core, where one world is considered Secure and the other Normal. TrustZone manages transitions between these worlds through hardware interrupts and a so called “monitor” mode, which prevents state or data from leaking from the Secure world to the Normal world. System hardware, including memory and peripherals, can be allotted to each world.
The security advantages realized by introducing a hypervisor into the embedded systems mentioned above come at the cost of performance penalties. Advanced hardware virtualization support or extensive use of paravirtualization may reduce these penalties but cannot remove them completely. Moreover, because software should be portable with as little effort as possible, it is desirable to avoid paravirtualization to the largest extent possible. Similarly, even with advanced hardware virtualization support, the performance penalties may be unacceptable; this is a particular problem in tiny embedded systems with very limited capacity. On the other hand, security critical functions typically do not run continuously, but are often needed only occasionally to perform one or more critical tasks on the system. It is therefore desirable to limit or restrict the use of a virtualized system to the occasions when such a system is beneficial.